I am unable to promote my newly installed Windows Server 2012 machine to a domain controller. I have two existing domain controllers. The primary is at Windows Server 2003 level, and is running W2003Server, and the secondary is running Windows Server 2003 R2. (Update: Originally this question asked about the non-fatal warning message about a domain controller-could-not-be-located, which is normal when upgrading from Windows Server 2003, as it's impossible to create a Read-only domain controller when the active directory forest is at the 2003 functional level, so in my opinion that warning should be quashed. After continuing through several more similarly scary looking errors, I finally got to the real error, which is an AdPrep-related error.)
On the new Win2012 server box, joining the domain as a server that is a member of the domain worked fine. But the AD DS Cfg Wiz freezes for about 100 seconds; then it goes from page 1 of the wizard to page 2 (which shows the site name combo box and two password entry edit boxes for the DSRM password), and then I get this error in the Active Directory Domain Services Configuration wizard.
At first I thought this was the real error. But it's just a roadblock in my way that I continue past:
Domain Controller Options
A domain controller running Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 could not be located in this domain. To install a read-only domain controller, the domain must have a domain controller running Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.
[OK]
Next I get a few more similar "You can't check this checkbox so we've grayed it out for you" messages that you can continue past.
Next this one:
Error determining whether the target environment requires adprep: Validation error:
Validation error: Unable to check forest upgrade status for server
SERVERNAME.localdomain.local.
Exception: The specified server cannot perform the requested operation
Details:Test.VerifyForestUpgradeStatus.ADPrep.Win32Exception.-2147467259
[ OK ]
Has anyone gotten a Domain at 2003 level up to 2012?
Update: Turns out I had no active schema master on the domain.
Update 2: For make benefit of Future Users with this error, I've shown the screenshot with the errors I saw:
Is your forest/domain functional level at 2003? You should be able to add a 2012 domain controller into a 2003 forest - provided the forest is at the 2003 functional level.
Edit: Also, check your DNS settings and make sure they are correct and that you can resolve the proper SRV records to locate the domain controllers.
Edit 2: If you are trying to install an RODC, you will need to have a 2008 writable DC to install a read-only DC.
If all your domain controllers are at least Windows Server 2003 and both your domain and forest functional levels are set to at least Windows Server 2003, adding a Windows Server 2012 DC should work fine:
http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_FunctionalLevels
The only situation where you'll need at least a Windows Server 2008 DC is if you're adding a read-only domain controller.
Edit:
If the message you are getting is the one shown here, then it's only a warning (as should be clear from the yellow exclamation point icon); it will not stop you from continuing, unless you're actually trying to install a RODC.
You need to run the requisite adprep /forestprep and adprep /domainprep commands from the 2012 DVD.
It turns out I had no active Schema Master on my domain. I asked here about how to get the active schema owner. The name was valid, but the machine name was a name that had long since been powered down and decommissioned, and nobody transferred the schema master role before it died.
Here is what I had to do:
1. While Windows Server 2012 tries to save you from running adprep, it can't do it in some cases. In my case, someone had created a domain controller and transferred the PDC role to a server but not the schema master role, then retired the schema master server without transferring the schema master role normally. Diagnosing issues like this, when moving up from a 9 year old version of Windows to the latest version, is hard because in Windows Server 2012 you get Win32 errors, and these errors are just large negative integer values as shown in my question. But even attempts to upgrade from 2003 to 2008 R2 were similarly blocked, and no helpful error messages were displayed. Of course that's typical for Active Directory issues. Reading logs and running command line diagnostic utilities is part of the standard "flow chart for troubleshooting" if you go look on TechNet. It's a giant tar-pit of accidental complexity.
2. In cases like the above, you only get useful errors when you run AdPrep in standalone mode. Sadly, only the 64-bit adprep comes with Windows Server 2012. Use the 2008 R2 install DVD to get the 32-bit adprep32.exe.
3. Researching the errors from running the Windows 2008 R2 version of AdPrep in standalone command line mode, I found it came down to the fact that I had to make sure a domain controller machine with the Schema Master role even exists, and is live on the network. Note that the version of AdPrep that is on the Windows Server 2012 DVD is designed to run from your 2012 server, not on your role master machines, as has previously been the case for AdPrep usage. If you try to run the AdPrep tool on a 32-bit Windows Server 2003 machine you'll get stuck, because AdPrep.exe won't even run and print any error message out on your 32-bit machine. In my case, none existed and I had to use this link to "seize" the Schema Master role using the NTDSUTIL main help:
http://technet.microsoft.com/en-us/library/cc976711.aspx
Specific help for seizing the schema master:
http://technet.microsoft.com/en-us/library/cc783650(v=ws.10).aspx
4. As I said in step 1, most people won't have this problem, but the confusion in amateur-IT circles may lead others to having similar problems.
5. I have also asked how to identify the active schema master name from the command line in the linked question, and this command works to find out who the schema master is:
Then I ran ntdsutil as detailed in point #3 above, seized the Schema Master role to repair the domain, and after that I could run adprep normally. And then adprep works.
Note that you're still not done. The Windows Server 2012 domain controller setup will still fail on any of hundreds of other problems, too many to list here. Other things I had to do to get it to work:
- Remove Symantec Endpoint Protection and disable Windows Firewall, so that WMI works over the network, which is required for the new domain controller talking to the old domain controller.
- Repair a few DNS configuration errors and then run ipconfig /flushdns, including removing decommissioned servers that had not been properly decommissioned, which basically means going to the AD management screen and deleting those servers. Other DNS errors might include lack of reverse-DNS records, etc.
- Ensure that if you get errors communicating via WMI/DCOM, you repair the service permissions or other errors that can block WMI and DCOM from working.
For me, this issue happened due to a failed seizure of the naming master. I had to re-seize the domain master role again to resolve this issue. I discovered that something was up when I ran the "netdom query fsmo" command and it gave me an error after the first role trying to enumerate all the FSMO roles.
I was able to check the FSMO roles individually in Active Directory Computers and Users and Active Directory Domains and Trusts. When I was checking the Domain Naming Master in AD Domains and Trusts, it wasn't able to list the current Domain Naming Master and consequently didn't let me change it to the server. I then followed the steps laid out on "https://technet.microsoft.com/en-us/library/cc816779(v=ws.10).aspx" to seize the naming master. Worked like a charm!
It seems the error points to a network connectivity issue between the new DC being promoted and the existing DCs on the domain. I had the same error "error determining whether the target environment requires adprep". This was caused by the schema master being on a different site and the firewall between was not allowing the new DC to connect to it. Once the flow had been added to the firewall for the new server the error went and the promotion to DC went forward without incident.
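The answers above boil down to three checks: that the DC locator SRV records resolve (the DNS edit in the first answer), that every FSMO role actually has a live holder (the missing schema master in the asker's own answer, and the "check each role individually" approach when netdom query fsmo aborts), and that the server being promoted can reach the role holders through any firewall (the answer just above). The following PowerShell script is an added example that performs all three from the server you are about to promote; it is not code from any answer on this page. It assumes Windows Server 2012 or later with the DnsClient module and the ActiveDirectory module (RSAT-AD-PowerShell) installed, a domain member that can reach at least one DC, and `$DomainName` as a placeholder you replace with your own domain.

```powershell
# Added example, not code from any answer on this page. From the server about to be
# promoted it checks: (1) the DC locator SRV records resolve, (2) which machine holds
# each FSMO role, queried one role at a time, and (3) that every DC and role holder
# found resolves in DNS and answers on the ports the promotion wizard and adprep use.
# Assumes the DnsClient and ActiveDirectory modules are available (Windows Server 2012+).
Import-Module ActiveDirectory

$DomainName = 'localdomain.local'           # placeholder from the question; replace with yours
$Ports = [ordered]@{ LDAP = 389; RPC = 135; SMB = 445 }

# TCP connect test with a timeout, so a firewalled host does not hang the script.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Resolve a host name and probe each port; returns a one-line status string.
function Get-HostStatus {
    param([string]$HostName)
    try {
        $ips = ([System.Net.Dns]::GetHostAddresses($HostName) |
                ForEach-Object { $_.IPAddressToString }) -join ','
    } catch {
        return 'DOES NOT RESOLVE (stale or decommissioned host?)'
    }
    $probes = foreach ($p in $Ports.GetEnumerator()) {
        '{0}={1}' -f $p.Key, (Test-TcpPort -HostName $HostName -Port $p.Value)
    }
    return '[{0}] {1}' -f $ips, ($probes -join ' ')
}

# --- 1. DC locator SRV records ---------------------------------------------------
# -DnsOnly skips the hosts file and LLMNR/NetBIOS fallbacks, so a failure here means
# the DNS server this NIC points at really lacks the record.
$srvNames = "_ldap._tcp.dc._msdcs.$DomainName", "_ldap._tcp.pdc._msdcs.$DomainName",
            "_gc._tcp.$DomainName", "_kerberos._tcp.dc._msdcs.$DomainName"
$dcsFromDns = @()
foreach ($name in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "$name : not resolvable ($($_.Exception.Message))"
        continue
    }
    foreach ($r in $records) {
        '{0,-45} -> {1}:{2}' -f $name, $r.NameTarget, $r.Port
        $dcsFromDns += $r.NameTarget
    }
}

# --- 2. FSMO role holders, one role at a time -------------------------------------
# Querying each role separately shows which single role is broken instead of
# aborting on the first failure the way an all-roles enumeration can.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

# --- 3. Reachability of every role holder and every DC advertised in DNS ----------
foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    if ([string]::IsNullOrEmpty($holder)) {
        Write-Warning "$role : no holder recorded in AD (role may need to be seized)"
        continue
    }
    '{0,-22} {1,-40} {2}' -f $role, $holder, (Get-HostStatus -HostName $holder)
}
foreach ($dc in ($dcsFromDns | Sort-Object -Unique)) {
    '{0,-22} {1,-40} {2}' -f 'DC (from SRV)', $dc, (Get-HostStatus -HostName $dc)
}
```

Run it as a domain user on the server being promoted. A role whose holder does not resolve, or has no holder at all, is the situation the asker hit (a schema master that had been decommissioned without transferring the role); a holder that resolves but shows every port as False is the firewalled-site case from the answer above. Only once every line shows a resolvable holder with the ports open is an adprep or promotion failure likely to be something other than name resolution or connectivity.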
This can happen when you rename a DC during a migration. Best practice would be to install DNS first; then you shouldn't see this error. A hack-around is to choose remove role; it will fail; close, and the error will be removed.